New Malware Variants, Telecom Legislation, GDPR Enforcement Actions
TLP White: In this edition of Hacking Healthcare, we begin by describing two new malware variants and their methods of infiltrating protected systems. Then, we turn, again, to U.S. legislators’ efforts to crack down on Chinese telecom giants via export control legislation. Finally, we discuss General Data Protection Regulation (“GDPR”) enforcement actions instituted by European regulators that could result in hefty fines for companies who have violated the law.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog.
Welcome back to Hacking Healthcare.
Hot Links –
1. Security Researchers Discover New Malware Variants.
Security researchers discovered two new malware variants last week. One such variant uses malicious apps in Google Play to facilitate the installation of Anubis banking malware on cellular devices. The apps access smartphones’ motion sensors to detect whether the targeted phone is in motion before installing a banking trojan on the device.[1] The apps use this tactic to ensure that the malware will run on a real user’s smartphone instead of on an emulator, a software program used by security researchers to detect vulnerabilities and malicious software. Once the malware identifies that it is targeting a true user’s phone, it tries to trick users into agreeing to fake system updates. After users install the updates, the malware is able to access users’ account credentials and take screenshots of the infected device’s screen.
The second is a cryptomining software variant that uninstalls Chinese cloud security and monitoring products.[2] Instead of infiltrating or compromising the security products directly, the malware works to gain admin-level control over machines before removing the security software. The malware operates by downloading a shell script to the system and executing a number malicious activities, including uninstalling cloud workload protection platforms. Researchers have published reports on both the Anubis banking malware and the cryptomining malware in an effort to educate industry about the variants.[3]
2. U.S. Legislators Introduce Export Bill With Sights Set on Telecom Industry.
Last week a bipartisan group of congressmen introduced legislation that would ban exports to companies violating U.S. sanctions laws.[4] The bill, which is aimed at Chinese telecommunications leaders Huawei and ZTE, would go further than a previously enacted law that prohibits the U.S. government from using Huawei and ZTE products.[5] As we’ve previously reported, Canadian officials arrested Huawei’s Chief Financial Officer late last year for running afoul of sanctions statutes. ZTE also recently signed a settlement order with the U.S. government after the company sent telecom equipment to U.S.-sanctioned nations Iran and North Korea.[6]
Legislators have openly questioned whether Chinese telecommunications equipment poses a threat to U.S. national security. Some claim that the products produced by Huawei and ZTE allow the Chinese government to spy on Americans. Huawei, for instance, has particular ties to the Chinese government, as its founder is a former member of China’s People’s Liberation Army.[7] Just last year, U.S. officials warned Americans that they shouldn’t use Huawei or ZTE phones, because the products have “the capacity to maliciously modify or steal information.”[8] If the new export ban for sanctions violations bill passes the House and Senate and receives the President’s approval, Huawei and ZTE will no longer be able to take advantage of U.S. technologies or incorporate them into their products and services.[9]
3. European Regulators Institute GDPR Enforcement Actions.
From our “This is Just the Beginning” department, we have two European regulators who recently took steps to enforce the GDPR against companies who allegedly mishandled European citizens’ data. Last week, the U.K.’s Information Commissioner’s Office (“ICO”) issued a formal notice to AggregateIQ, a Canadian targeted advertising company, for violating the GDPR.[10] A number of Pro-Brexit organizations paid AggregateIQ millions of British pounds to disseminate ads in support of the country’s exit from the European Union in 2016. The ICO’s notice cites AggregateIQ’s conduct from the Brexit campaign period, which occurred approximately two years before the GDPR became effective on May 25, 2018.[11] The ICO has charged AggregateIQ with processing Europeans’ personal information for purposes outside of the scope of what consumers would expect. AggregateIQ’s continued retention and processing of such consumers’ data over an extended period of time prompted the British regulatory authority to take action. AggregageIQ could face a fine of up to about £20 million if it does not comply with the ICO’s demands.
The French data protection authority, the Commission nationale de l’informatique et des libertés (“CNIL”), also made news this week by imposing the largest-ever GDPR fine. CNIL has levied a €50 million fine on Google for the company’s failure to provide enough information to users about its data consent policies.[12] CNIL also charged that Google did not give European consumers enough control over how their information would be used.[13] Though this is the largest fine ever sought by a European data protection regulator for a violation of the GDPR, it does not come close to the maximum fine allowed by the law, which is 4% of a given company’s worldwide revenue.[14]
Congress –
Tuesday, January 22:
–No relevant hearings.
Wednesday, January 23:
–No relevant hearings.
Thursday, January 24:
–No relevant hearings.
International Hearings/Meetings –
EU – No relevant hearings.
Conferences, Webinars, and Summits –
–Medical Device Security 101 Conference – Orlando, FL (1/21/19-1/22/19) <https://nhisac.org/events/nhisac-events/medical-device-security-101-conference/>
–FIRST Symposium 2019 – London, UK (3/18/19-3/20/19)
<https://nhisac.org/events/nhisac-events/first-symposium-2019/>
–HEALTH IT Summit (Midwest) – Cleveland, OH (3/19/19-3/20/19)
<https://h-isac.org/hisacevents/health-it-summit-cleveland-2019/>
–National Association of Rural Health Clinics Spring Institute – San Antonio, TX (3/20/19-3/22/19)
<https://h-isac.org/hisacevents/national-assoc-of-rural-health-clinics-spring-institute/>
–HSCC Joint Cybersecurity Working Group – San Diego, CA (4/3/19 – 4/4/19)
<https://h-isac.org/hisacevents/hscc-joint-cybersecurity-working-group/>
–H-ISAC CYBER RX – IOMT Executive Symposium – Munich, Germany (4/15/2019 – 4/16/2019)
<https://h-isac.org/hisacevents/cyberrx-iomt-executive-symposium/>
–HEALTH IT Summit (Southern California) – San Diego, CA (4/23/19-4/24/19)
<https://h-isac.org/hisacevents/health-it-summit-southern-california-2019/>
–HEALTH IT Summit (Florida) – Wesley Chapel (5/21/19-5/22/19)
<https://h-isac.org/hisacevents/health-it-summit-florida-2019/>
–2019 NH-ISAC Spring Summit – Ponte Vedra Beach, FL (5/13/19-5/17/19) <https://www.marriott.com/hotels/travel/jaxsw-sawgrass-marriott-golf-resort-and-spa/>
–HEALTH IT Summit (Southeast) – Nashville, TN (6/13/19-6/14/19)
<https://h-isac.org/hisacevents/health-it-summit-southeast-2019/>
–CybSec and Blockchain Health – London, UK (7/11/19-7/12/19)
<https://h-isac.org/hisacevents/cybsec-and-blockchain-health/>
–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/19-7/16/19)
<https://h-isac.org/hisacevents/health-it-summit-rocky-mountain/>
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/19-10/4/19)
<https://h-isac.org/hisacevents/health-it-summit-northeast/>
Sundries –
—Cybercriminals ‘hide in plain sight’ to shake down West African financial players
<https://www.cyberscoop.com/west-africa-cybercrime-symantec-living-off-the-land/>
—Two Ukrainians charged with hacking into SEC’s EDGAR database
<https://www.cyberscoop.com/sec-edgar-hack-charges/>
—Nearly 773 million email addresses leaked, spelling trouble for people who re-use passwords
<https://www.cyberscoop.com/email-passwords-leaked-troy-hunt-mega/?category_news=technology>
—AI in healthcare – not so fast? Study outlines challenges, dangers for machine learning
<https://www.healthcareitnews.com/news/ai-healthcare-not-so-fast-study-outlines-challenges-dangers-machine-learning>
—Amazon Web Services: AI, data analytics and cloud are converging to drive down costs and boost care quality
<https://www.healthcareitnews.com/news/amazon-web-services-ai-data-analytics-and-cloud-are-converging-drive-down-costs-and-boost-care>
—Report: DOJ pursuing criminal charges against Huawei for theft of tech
<https://arstechnica.com/tech-policy/2019/01/report-doj-pursuing-criminal-charges-against-huawei-for-theft-of-tech/>
—FCC asks court for delay in case that could restore net neutrality rules
<https://arstechnica.com/tech-policy/2019/01/fcc-asks-court-for-delay-in-case-that-could-restore-net-neutrality-rules/>
—EU Copyright Directive to Turn Google into Ghost Town
<https://www.bleepingcomputer.com/news/google/eu-copyright-directive-to-turn-google-into-ghost-town/>
—Over 140 International Airlines Affected by Major Security Breach
—New ‘Magecart’ group used ad plugin to steal payment data from hundreds of websites
<https://www.cyberscoop.com/magecart-group-12-adverline-riskiq-trend-micro/>
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://arstechnica.com/information-technology/2019/01/google-play-malware-used-phones-motion-sensors-to-conceal-itself/
[2] https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/
[3] https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/
[4] https://arstechnica.com/tech-policy/2019/01/lawmakers-seek-harsh-penalties-against-zte-and-huawei/
[5] https://arstechnica.com/tech-policy/2018/08/trump-signs-bill-banning-feds-from-using-huawei-zte-technology/
[6] http://fortune.com/2018/04/17/zte-american-tech-ban-sanctions/
[7] https://www.npr.org/2018/12/07/674467994/huawei-and-the-chinese-government
[8] https://www.theverge.com/2018/2/14/17011246/huawei-phones-safe-us-intelligence-chief-fears
[9] https://www.bleepingcomputer.com/news/government/bipartisan-bill-introduced-to-ban-sale-of-us-tech-to-chinese-companies/>
[10] https://www.bbc.com/news/technology-45589004
[11] https://gdpr.report/news/2018/09/21/ico-puts-aggregate-iq-notice/
[12] https://adexchanger.com/privacy/france-slaps-google-with-50-million-euro-fine-largest-yet-under-gdpr/
[13] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
[14] https://www.theverge.com/2019/1/21/18191591/google-gdpr-fine-50-million-euros-data-consent-cnil